Description
An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of root on the web server. Softaculous or SitePad must be present.
Published: 2026-05-08
Score: 7.3 High
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when user input passed through the 'key' GET parameter to /admin/index.php is used directly in OS command execution without proper sanitization. This flaw allows an unauthenticated attacker to inject and run arbitrary operating-system commands with root privileges on the server. The weakness corresponds to a command injection flaw (CWE-78) and could fully compromise system integrity, confidentiality and availability.

Affected Systems

Control Web Panel is affected. All installations prior to version 0.9.8.1209 are vulnerable. The attack requires the presence of Softaculous or SitePad, which must be installed for the flaw to be exploitable.

Risk and Exploitability

Because the flaw grants root‑level command execution, the potential impact is catastrophic. The CVSS score of 7.3 denotes a high severity. An EPSS score of 1% indicates a very low probability of exploitation, but the attack vector is an unauthenticated HTTP request to the API endpoint. The vulnerability is not listed in the CISA KEV catalog, but its criticality warrants immediate attention.

Generated by OpenCVE AI on June 18, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Control Web Panel 0.9.8.1209 or later, which removes the unsanitized command execution path.
  • If an upgrade is not immediately possible, disable access to /admin/index.php or block requests that carry the 'api' and 'key' query parameters.
  • Remove Softaculous or SitePad from the system, or ensure they are not exposed to the public web interface, to eliminate the conditional component required for exploitation.



Advisories

No advisories yet.

History

(Columns: Type, Values Removed, Values Added)

Thu, 18 Jun 2026 16:45:00 +0000
  Title: Unauthenticated Root Command Injection in Control Web Panel via 'key' Parameter

Wed, 17 Jun 2026 05:15:00 +0000
  Title: Unauthenticated Root Command Injection in Control Web Panel via 'key' Parameter

Tue, 16 Jun 2026 07:30:00 +0000
  Title: Command Injection via Unsanitized 'key' Parameter in Control Web Panel API

Tue, 09 Jun 2026 15:00:00 +0000
  Title: Command Injection via Unsanitized 'key' Parameter in Control Web Panel API

Fri, 29 May 2026 16:15:00 +0000
  Title: Command Injection in Control Web Panel via Unsanitized GET Parameter

Sat, 16 May 2026 15:00:00 +0000
  Title: Command Injection in Control Web Panel via Unsanitized GET Parameter

Mon, 11 May 2026 17:00:00 +0000
  First Time appeared: Centos-webpanel; Centos-webpanel centos Web Panel
  Vendors & Products: Centos-webpanel; Centos-webpanel centos Web Panel

Sat, 09 May 2026 15:00:00 +0000
  Title: Root-Privileged Command Injection in Control Web Panel via Unsanitized API Parameter

Fri, 08 May 2026 19:15:00 +0000
  Title: Root-Privileged Command Injection in Control Web Panel via Unsanitized API Parameter

Fri, 08 May 2026 15:30:00 +0000
  Title: Unauthenticated OS Command Injection via 'key' API Parameter in Control Web Panel before v0.9.8.1209

Fri, 08 May 2026 15:15:00 +0000
  Metrics:
    cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 08:00:00 +0000
  Title: Unauthenticated OS Command Injection via 'key' API Parameter in Control Web Panel before v0.9.8.1209
  Weaknesses: CWE-78

Fri, 08 May 2026 07:30:00 +0000
  References

Fri, 08 May 2026 06:30:00 +0000
  Description: An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of root on the web server. Softaculous or SitePad must be present.
  References

Subscriptions

Centos-webpanel Centos Web Panel
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T14:13:43.786Z

Reserved: 2025-12-12T00:00:00.000Z

Link: CVE-2025-67888

Vulnrichment

Updated: 2026-05-08T05:52:30.620Z

NVD

Status: Awaiting Analysis

Published: 2026-05-08T07:16:28.487

Modified: 2026-06-17T09:58:13.350

Link: CVE-2025-67888

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T08:30:04Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')